(September 5, 2023) - Howard P. Goldberg of MG+M The Law Firm discusses court decisions, liability exposure and insurance issues relating to the Illinois Biometric Information Privacy Act (BIPA).

Illinois' Biometric Information Privacy Act (BIPA or the Act), passed in 2008, aims to protect a person's unique traits. In essence, BIPA safeguards an individual's biological qualities — fingerprints, retinal scans, and facial geometry — from unauthorized disclosure. These differentiating physical characteristics, which separate each of us from one another, are extraordinarily sensitive. Moreover, the necessity of this data to access buildings, airports, bank accounts and our phones (among many other things) illustrates why regulations such as BIPA are necessary to protect an individual's autonomy.

BIPA provides a private right of action for violations of the Act as a result of the improper disclosure of biometric data. Plaintiffs have filed hundreds of lawsuits in state and federal courts concerning the retention, collection, disclosure, and destruction of their biometric data. Litigation stemming from the Act is increasing. For example, in 2022, 250 BIPA suits were filed in the state of Illinois. This year is trending to surpass that number, with plaintiffs filing just over 180 BIPA suits in the first four months of 2023.

The potential financial and reputational liability for companies found to have violated BIPA are severe, and the reported settlements of BIPA claims are extremely large. Compounding the litigation risk companies face is the availability of insurance coverage. While policy holders look to their insurance providers for reimbursement on BIPA claims, insurance carriers have pointed to policy exclusions to avoid responsibility for BIPA damages, attorney fees, or costs.

Added to this natural tension between insured and insurer is that courts have addressed BIPA differently — from statutes of limitation and choice of law questions to insurance exclusions — leading to general uncertainty surrounding BIPA liability. The bottom line is that there is no uniform precedent that clearly lays out when a litigant is entitled to recover the costs for defending or settling BIPA claims. Given the potential financial liability for BIPA exposure, this tension creates an uncomfortable and unclear future for companies that utilize biometric data.

The recent Appellate Court of Illinois decision in Remprex, LLC v. Certain Underwriters at Lloyd's of London illustrates this conflict and provides one perspective on the challenges faced by companies and their insurance providers.

In April 2019, a truck driver sued BNSF Railway Co. (BNSF) in the Circuit Court of Cook County, Illinois, alleging that BNSF improperly used his fingerprints in violation of BIPA. Remprex, a company that offers a range of services that utilize biometric identifiers, was not a party in that case.

The plaintiff subsequently filed a second suit in the United States District Court for the Northern District of Illinois alleging BIPA violations against Illinois Central Railroad Co. (Illinois Central) and CN Transportation, Ltd. (CN). While Remprex was initially named as a defendant in the federal lawsuit, it was ultimately dismissed from that action.

Following a full trial in the BNSF matter, the jury ruled in plaintiff's favor and awarded $228 million in damages. BNSF is presently appealing the judgment based on the instructions to the jury regarding damages. The jury was merely asked how many times BNSF violated the Act negligently, or how many times it violated the Act recklessly or intentionally.

Because the jury found that BNSF recklessly or intentionally violated the Act 45,600 times (based on the defense expert's estimated number of drivers whose fingerprints BNSF registered), the Court calculated that BNSF must pay $5,000 for each of the 45,600 purported violations. The Court then invalidated that award in June 2023, holding that jurors should have been instructed that damages are not mandatory in BIPA cases so that the jury could determine damages for themselves. The discretionary nature of damages under the Act adds another layer of uncertainty for insureds and their carriers in the BIPA context. A new trial is scheduled to commence on Oct. 2, 2023.

Following the verdict, BNSF sought indemnification from Remprex pursuant to a contract executed between those entities.

Remprex maintained a policy with Lloyd's of London that provided coverage for data, media, and network liability. As such, Remprex initiated an action for declaratory judgment against Lloyd's in August 2020, before the BNSF case had gone to trial, for defense and indemnity costs. The court dismissed the case on Lloyd's motion, and Remprex appealed.

Applying New York law, the appellate court determined that Remprex was not subject to a claim as defined by its policy with Lloyd's. Remprex was not a defendant in the BNSF suit, and BNSF's indemnity demand pursuant to its contract with Remprex did not constitute a "claim." As a result, the court ruled that Lloyd's was under no obligation to defend or indemnify Remprex in the BNSF case.

Interestingly, however, the same appellate court came to the opposite conclusion as it related to Lloyd's obligations to indemnify Remprex in the Illinois Central/CN case, and determined that Lloyd's was required to defend and indemnify Remprex because the underlying facts — violations of one's right to privacy under BIPA — constituted a claim "during the 'course of creating media material.'" Because Remprex maintained a media liability policy with Lloyd's, the court reasoned, Lloyd's was responsible for indemnifying and defending Remprex in the Illinois Railroad/CN case.

BIPA codifies aspects of an individual's right to privacy as it relates to one's unique biometric information. Many federal courts view lawsuits asserting a violation of privacy rights as falling within the advertising injury provisions of corporate insurance policies.

The problem facing companies and their carriers in relation to BIPA and other statutes that protect an individual's personal information is how federal and state courts will apply certain policy exclusions to BIPA cases. For example, if an individual's biometric identifiers are disclosed improperly as a result of a cyberattack or data breach, would coverage exist? The Illinois appellate court's decision in the Illinois Railroad/CN case — providing coverage pursuant to the media liability provisions of Remprex's policy, but denying coverage based on the cyber and network breach sections — highlights this strain.

Finally, the BNSF/Remprex appeal was decided under New York law, perhaps limiting its applicability moving forward. Regardless, it is clear that companies and their carriers must be wary of claims under BIPA and similar statutes, as the legal landscape remains murky at best, while the potential liability is enormous.